Nader Mehravari

Research Scientist, CERT® Division

Dr. Nader Mehravari is with the CERT® Program at the Software Engineering Institute (SEI), a unit of Carnegie Mellon University in Pittsburgh, PA. His current areas of interest and research include operational resilience, protection and sustainment of critical infrastructure, preparedness planning, and associated risk management principles and practices.

Nader was with Lockheed Martin from 1992 through 2011. In his most recent assignment, he was the Director for Business Resiliency. In this capacity, he led and oversaw all preparedness planning and associated governance and compliance activities. He was responsible for building and leading Lockheed Martin's resiliency program, where he successfully implemented a modern, integrated, risk-management-based approach to disaster recovery, business continuity, pandemic planning, crisis management, emergency management, and workforce continuity for all of Lockheed Martin.
"The American Red Cross prevents and alleviates human suffering in the face of emergencies by mobilizing the power of volunteers and the generosity of donors."

"To provide prompt, reliable, and efficient services to patrons in all areas and ... render postal services to all communities."

"Provides, operates, and assures command and control, information sharing capabilities, and a globally accessible enterprise information infrastructure in direct support to joint Warfighters, National level leaders, and other mission and coalition partners across the full spectrum of operations."
Micron Chief Dies in Crash

Steve Appleton Loved Fast Jets, Cars; 'I'd Rather Die Living Than Die Dying'

By SHARA TIBKEN and DON CLARK

Steven R. Appleton, chairman and chief executive of Micron Technology Inc., and one of the most prominent figures in the semiconductor industry, died Friday when the high-performance airplane he was piloting crashed at Boise, Idaho's airport.

The death of the 51-year-old stunned Micron, the well-known maker of memory chips based in the same city, and comes at a time of rapid change for the company and its industry.

The National Transportation Safety Board is investigating the accident, which happened soon after Mr. Appleton took off alone in a single-engine Lancair. The plane, from a maker of aircraft kits, had taken off and landed once and was
By JON OSTROWER

WICHITA, Kan. — A key Boeing Co. supplier said it aims to res
deliveries by the end of the week after tornadoes battered its factories here
highlighting the fragility and resilience of the aerospace giant's global sup
it works to sharply increase production.

The storms late Saturday caused significant-to-major damage to 10 buildi
flagship campus of Spirit AeroSystems Inc., which makes fuselages and
for Boeing's hot-selling 737, 777 and 787 Dreamliner passenger jets. Spirit
said production — which normally runs seven days a week — would be susp
least" through Tuesday, and that it expects "near-term production disrupti
including delivery impacts" to customers.

Spirit spokesman Ken Evans
assessments found most of i
machinery and inventory intact. "We believe we can use the facilities we've got," he said in an interview here in Wichita, a major manufacturing hub for the aerospace industry. "We didn't
By JEFF BENNETT and JAN HROMADKO

Production shortfalls at a single German auto-parts supplier are beginning
through the global auto business.

The explosion at a German chemicals plant two weeks ago, which killed two workers, has thrown the global car industry into turmoil as manufacturers run short of a vital component, prompting an emergency meeting in Detroit.

More than 200 auto executives met in a Detroit suburb on Tuesday to evaluate a looming shortage of a relatively obscure resin essential to modern auto production.

Inventories of the resin are being depleted a
Industries AG plant in Marl, Germany, that
itself as the only integrated maker of the resin
lines.

Graphic: What 'obscure' but essential compound shortage has the auto industry worried about production?

"...and expect that the work to fully repair the plant will take at least three months," an Evonik spokeswoman said. Several Evonik executives attended the meeting on Tuesday.
By SAURABH CHATURVEDI and SANTANU CHOUDHURY

NEW DELHI — Much of India's electricity supply network collapsed Tuesday in the country's second major outage in two days, affecting more than 680 million people — double the population of the U.S. — and causing business losses estimated to run into the hundreds of millions of dollars.

Thousands of offices and factories had to switch to generators or shut shop, more than 200 trains were brought to a standstill while hospitals had to ask nurses to manually work critical equipment such as ventilators as 21 provinces experienced a near-total
Computer Glitch Halts American Airlines Flights

The Federal Aviation Administration is holding all American Airlines flights at their origin airports until at least 5 p.m. Eastern time on Tuesday while the carrier tries to resolve a nationwide outage to its reservations system.
Tracking the storm: The worst of the powerful hurricane is expected Monday night into Tuesday

The city is in a virtual lockdown as a storm of unprecedented character slammed into the East Coast,

Boston transit shut down, nearly 1 million sheltering in place amid terror hunt
Advanced persistent threat (APT) usually refers to a group, such as a
effectively target a specific entity. The term is commonly used to refer to
intelligence gathering techniques to access sensitive information, but
Other recognized attack vectors include infected media, supply chain
usually referred to as an APT as they rarely have the resources to be both
Chinese Hackers Hit U.S. Media

Wall Street Journal, New York Times Are Breached in Campaign That Stretches Back Several Years

By SIOBHAN GORMAN, DEVLIN BARRETT and DANNY YADRON

WASHINGTON — Chinese hackers believed to have government links have been conducting wide-ranging electronic surveillance of media companies including The Wall Street Journal, apparently to spy on reporters covering China and other issues, people familiar with the incidents said.

Journal publisher Dow Jones & Co. said Thursday that the paper's computer systems had been infiltrated by Chinese hackers, apparently to monitor its China coverage. New York Times Co. disclosed Wed
More companies reporting cybersecurity incidents

Ellen Nakashima and Danielle Douglas, Published: March

At least 19 financial institutions have disclosed to investors in
computers were targets of malicious cyberassaults last year, a

Are the ongoing DDoS attacks against U.S. banks just the calm before the storm?

by Avivah Litan | March 14, 2013

That's a viable hypothesis after hearing that the attackers only used one third of the bandwidth they had staged for their latest round of attacks against U.S. banks last Tuesday. Reportedly on Tuesday the total size of the DDoS attack was 190 gigabits at one time, with the largest attack against a single bank at 110 gigabits.

Interestingly the attackers could have easily done even more damage but they chose not to. 9200 bots were identified as attack-capable but the total number of bots actually involved in sending the DDoS traffic to the banks numbered only about 3200. The other 6000 bots sat there doing nothing.
False AP Twitter Message Sparks Stock-Market Selloff

By SHIRA OVIDE

The Associated Press said Tuesday its Twitter account was compromised, resulting in a false message on the service that explosions in the White House had injured President Barack Obama. The message briefly sparked a selloff on U.S. stock markets.

"The Twitter account has been hacked," the AP said in a statement Tues
tweet about an attack on the White House is false."

Other Twitter accounts associated with Associated Press were quick to
false Twitter message, which was posted just after 1 p.m. Eastern time.
afterward, the news organization's main Twitter account was suspended
By Jeremy Kirk, October 17, 2012 — IDG News

Patients Put at Risk By Computer Viruses

By CHRISTOPHER WEAVER

The Food and Drug Administration is warning makers of heart monitors, mammogram machines and myriad other medical devices that their gear is at risk of
Challenges to Organizational Mission

The operational mission of organizations is under stress on a minute-by-minute basis.

The stress comes from

• pervasive use of technology
• globalization
• complexity of business processes
• operational complexity
• movement toward intangible assets
• global economic pressures
• open borders
• geo-political pressures
• regulatory and legal boundaries
• intertwining of cyber and physical domains

...and is exacerbated by increased intertwining of cyber and physical domains.
Disruptive Events

Natural or Manmade; Accidental or Intentional; Small or Large; Information Technology or Not; Cyber or Kinetic:

• Fire
• Flooding
• IT failures
• Earthquakes
• Cyber attacks
• Severe weather
• Network failures
• Technology failures
• Organizational changes
• Loss of service provider
• Strikes or other labor actions
• Loss of customer or trading partner
• Chemical, biological, and nuclear hazards
• Unavailability of workforce
• Failed internal processes
• Supply chain disruption
• Employee kidnappings
• Workplace violence
• Data corruption
• Product failure
• Power outages
• Civil unrest
• Terrorism
• Fraud
• Etc.

...result in disruption of the business processes through which operational risks are realized.
Ever-Increasing Capability & Complexity

Yesterday's mission success would have been...

Today mission success is about ... and more...
Yesterday's Mission Protection

• Continuity of Operation (COOP)
• Business Continuity
• Emergency Response
• IT Disaster Recovery

Today's Mission Protection

• Business Continuity
• Contingency Planning
• Emergency Management
• Crisis Management
• Risk Management
• Operational Risk Management
• Enterprise Risk Management
Today's Business Environment

Figure: Business Consequences of Operational Glitches

Today's Business Environment Is Much Less Forgiving
Operational Risk

A form of risk affecting day-to-day business operations

A very broad risk category

• from high-frequency low-impact to low-frequency high-impact

Exacerbated by

• actions of people
• systems and technology failures
• failed internal processes
• external events
• bad decisions
Why do operational risks matter?

...because they have explicit and direct impact on:

• Trust and confidence of employees and customers
• Reputation and image
• Regulatory compliance, fines, and legal penalties
• Customer retention and growth
• Life, safety, and health of customers and employees
• Productivity and profitability
• Organizational survival
re·sil·ience, noun [ri-ˈzil-yəns]

• power or ability to return to the original form, position, etc. after being bent, compressed, or stretched
• ability of an ecosystem to return to its original state after being disturbed
• ability to recover readily from illness, depression, adversity, or the like
• capability of a strained body to recover its size and shape after deformation
• physical property of a material that can return to its original shape or position after deformation that does not exceed its elastic limit
• ability to recover from or adjust easily to misfortune or change
• ability to provide and maintain an acceptable level of service in the face of faults and challenges to normal operation
Operational Resilience

The emergent property of an entity

• that can continue to carry out its mission in the presence of operational stress and disruption that does not exceed its limit

• to meet its mission under times of disruption or stress and return to normalcy when the disruption or stress is eliminated

The entity can be an organization, a nation, armed forces, critical infrastructure, a system, a network, a supply chain, a community, an ecosystem, or cyberspace.
An Analogy: Health

Is there a place that you can purchase health?

Is there a place where health is manufactured?

How do you become healthy?

Health & Resilience: They are both emergent properties.
Operational Resilience & Mission Success

To be operationally resilient, cyber- and/or kinetic-enabled missions must address operational risk on a number of "planes."

Operational Efforts Must Consider and Enable Such Multidimensionality
Organizational Mission - Revisited

Services and Products

Figure: services and products, internal and external, feed the Organization Mission.

Outputs of an organization can be internally or externally focused. Collectively they enable an organization's mission.

Example: U.S. Postal Service (Mission of USPS)
Productive Activities or Business Processes

Figure: Productive Activities or Business Processes A through D feed the Organization Mission.

Activities that the organization (and/or its suppliers) perform to ensure that services and products are generated

A service or product is made up of one or more business processes.


UNITEDSTATES 

POSTAL  SERVICE. 
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Engineer¬ 

Mail 

UPS& 
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Vehicle 

FiGGt 
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Services 

Services 

Services 

Services 
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Services 

Services 
Assets

Something of value to the organization

Asset value relates to the importance of the asset in meeting the service mission.

Asset Types of Importance to Operational Resilience

People, information, technology, and facility assets.
Example: U.S. Postal Service

Services (figure): Payroll Services, IT Services, HR Services, Inspection Services, Software Development Services, Engineering Services, Mail Sorting Services, UPS & FedEx Services, Vehicle Fleet Services, Airline Services, Etc.

Assets that support those services, by asset type:

People assets
• 574,000 employees
• Mail carriers
• Postal Inspectors
• Postmasters
• Truck drivers
• Mechanics
• Software developers
• Network engineers
• Postmaster general
• Inspector general
• Etc.

Information assets
• National address database
• National zip code database
• Customer PII
• Employee PII
• Data associated with each piece of mail
• Information processed by USPS.com
• Etc.

Technology assets
• APC kiosks
• AFCS/OCR
• APPS machines
• AFSM, APBS, UFSM, PARS
• Computers
• Servers
• Laptops
• 300K+ handheld scanners
• PBX
• Etc.

Facility assets
• 30,000+ facilities
• 200,000+ vehicles
• HQ building
• Raleigh data center
• Eagan data center
• P&DCs
• 70,000+ stores, banks, and ATMs that sell stamps
• Etc.
Operational Resilience Starts at Asset Level

Figure: a service or product is made up of productive activities or business processes, each of which depends on assets; realized operational risk results in asset disruption, which in turn disrupts the business process and the service or product that depend on that asset.

Analogy - Protection and Sustainment Strategies

Protection Activities

• Translate into activities designed to keep assets from exposure to disruption

• Example: "security" activities, but may also be embedded in IT operations activities

Sustainability Activities

• Translate into activities designed to keep assets productive during adversity

• Example: "business continuity" activities

Organizational Context for Resilience Activities

Figure: People, Information, Technology, Facility, and Supply Chain assets are managed through operational resilience management systems and resilience processes; these support productive activities or business processes A through D, which collectively enable the Organization Mission.

This is where operational resilience management, protection, and sustainment begin.
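The asset-to-mission structure the deck describes (assets of the four types support business processes, business processes make up services, services enable the mission, and sustainment activities keep assets productive during adversity) can be turned into a small impact model that answers "which services fail if these assets are disrupted?" The block below is an added example written for this page, not code from SEI or CERT-RMM. Every asset, process and service name and every dependency in it is constructed for illustration (loosely postal-flavoured, not real USPS data), and representing sustainment as an "alternate" asset that can stand in for a disrupted one is this example's simplification; protection activities are not modelled.

```python
"""Asset -> business process -> service -> mission impact model.

Added example for this page, not code from SEI or CERT-RMM. All asset,
process and service names and their dependencies are constructed for
illustration (loosely postal-flavoured) and are not real USPS data.
"""
from dataclasses import dataclass

ASSET_TYPES = ("people", "information", "technology", "facility")


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str                            # one of ASSET_TYPES
    alternates: frozenset = frozenset()  # sustainment: assets that can stand in


@dataclass(frozen=True)
class Process:
    name: str
    requires: frozenset                  # asset names; fails if any is unavailable


@dataclass(frozen=True)
class Service:
    name: str
    processes: frozenset                 # process names; fails if any process fails


def build_model():
    """Constructed model: two services, three processes, six assets."""
    assets = {a.name: a for a in (
        Asset("mail_carriers", "people"),
        Asset("address_db", "information"),
        Asset("sorting_machines", "technology", frozenset({"manual_sort_crew"})),
        Asset("manual_sort_crew", "people"),
        Asset("raleigh_dc", "facility", frozenset({"eagan_dc"})),
        Asset("eagan_dc", "facility", frozenset({"raleigh_dc"})),
    )}
    for a in assets.values():
        if a.kind not in ASSET_TYPES:
            raise ValueError(f"unknown asset type {a.kind!r} for {a.name}")
    processes = {p.name: p for p in (
        Process("sort_mail", frozenset({"sorting_machines", "address_db"})),
        Process("deliver_mail", frozenset({"mail_carriers"})),
        Process("host_address_db", frozenset({"raleigh_dc"})),
    )}
    services = {s.name: s for s in (
        Service("mail_delivery", frozenset({"sort_mail", "deliver_mail"})),
        Service("address_lookup", frozenset({"host_address_db"})),
    )}
    return assets, processes, services


def asset_available(name, assets, disrupted, _seen=None):
    """True if the asset is not disrupted, or a sustainment alternate is
    available. `_seen` breaks cycles (two data centres backing each other)."""
    seen = set() if _seen is None else _seen
    if name in seen:
        return False
    seen.add(name)
    if name not in disrupted:
        return True
    return any(asset_available(alt, assets, disrupted, seen)
               for alt in assets[name].alternates)


def failed_processes(disrupted, model):
    """Business processes that cannot run given the disrupted assets."""
    assets, processes, _ = model
    return {p.name for p in processes.values()
            if not all(asset_available(a, assets, disrupted) for a in p.requires)}


def failed_services(disrupted, model):
    """Services (and so mission outputs) that fail given the disruption."""
    _, _, services = model
    down = failed_processes(disrupted, model)
    return {s.name for s in services.values() if s.processes & down}


if __name__ == "__main__":
    model = build_model()
    for scenario in ({"sorting_machines"}, {"raleigh_dc"},
                     {"raleigh_dc", "eagan_dc"}, {"mail_carriers"}):
        hit = failed_services(scenario, model)
        print(sorted(scenario), "->", sorted(hit) or "no service impact")
```

Losing the sorting machines alone or one data centre alone leaves every service standing, because a sustainment alternate covers the disrupted asset; losing both data centres, or the mail carriers (who have no alternate), takes a service down. Running the scenarios your own organisation worries about against such a model is one way to see which assets lack any sustainment option before the disruption does.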
Is there one place that I can go to see what are all the right things that an organization should do in order to improve and manage its operational resilience in a systematic, practical, and proven manner?
CERT Resilience Management Model (CERT-RMM)

CERT-RMM, Version 1.1: CERT Resilience Management Model, A Maturity Model for Managing Operational Resilience, by Richard A. Caralli, Julia H. Allen, and David W. White. http://www.cert.org/resilience/

Framework for managing and improving operational resilience

"...an extensive superset of the things an organization could do to be more resilient."
— CERT-RMM adopter
Desired Integrated Approach

Pull for Integrated Cyber Resilience

Department of Homeland Security, Blueprint for a Secure Cyber Future. The Blueprint lists four goals for protecting critical information infrastructure:

• Reduce Exposure to Cyber Risk
• Ensure Priority Response and Recovery
• Maintain Shared Situational Awareness
• Increase Resilience

Cyberspace Policy Review: Assuring a Trusted and Resilient Information and Communications Infrastructure. "...in information and communications infrastructures is insufficient. The government needs to increase investment in research that will help address cybersecurity vulnerabilities while also meeting our economic needs and national security requirements."

Federal Computer: Updated homeland security strategy emphasizes resilience

Department of Defense S&T Emphasis Areas. The Department has identified seven priorities:

• Defense Strategic Guidance
• Autonomy
• Counter Weapons of Mass Destruction
• Cyber Sciences
• Data-to-Decisions
• Engineered Resilient Systems
• Human Systems

Research on new approaches to achieving security and resiliency
Software Engineering Institute | Carnegie Mellon University

A Sampling of CERT-RMM Applications and Derivatives

CERT-RMM, Version 1.1 (CERT Resilience Management Model: A Maturity Model for Managing Operational Resilience; Richard A. Caralli, Julia H. Allen, David W. White)
Department of Homeland Security: Cyber Resilience Review

The Cyber Security Evaluation Program (CSEP), within the Department of Homeland Security's (DHS) National Cyber Security Division (NCSD), conducts a no-cost, voluntary Cyber Resilience Review (CRR) to evaluate and enhance cyber security capacities and capabilities within all 18 Critical Infrastructure and Key Resources (CIKR) Sectors, as well as State, Local, Tribal and Territorial (SLTT) governments. The CRR seeks to understand cyber security management of services (and associated assets) critical for an organization's mission success by focusing on protection and sustainment practices within ten key domains that contribute to the overall cyber resilience of an organization.

Overview

The CRR is based on the CERT Resilience Management Model (CERT-RMM) developed by Carnegie Mellon University's Software Engineering Institute [www.cert.org/resilience/rmm.html]. The goal of the CRR is to develop an understanding of an organization's operational resilience and ability to manage cyber risk to its critical services and assets during normal operations and during times of operational stress and crises.

The CRR seeks to elicit the current state of cyber security management practices from key cyber security personnel: Chief Information Officers, Chief Information Security Officers, and those responsible for management of IT Security, IT Operations, and Business Continuity.

The CRR results in a report that summarizes observed strengths and weaknesses in each domain and provides options for consideration containing general guidance or activities aimed at improving the cyber security posture and preparedness of an organization.

CRR Domains & Asset Types

The CRR focuses on the following ten domains:

1. Asset Management
2. Configuration and Change Management
3. Risk Management
4. Controls Management
5. Vulnerability Management
6. Incident Management
7. Service Continuity Management
8. External Dependencies Management
9. Training and Awareness
10. Situational Awareness

The CRR addresses the following four asset types:

1. People
2. Information
3. Technology
4. Facilities

What to Expect

• The CRR is a one-day, on-site facilitation and interview of key cyber security personnel.

• The participants will receive a draft report within 45 calendar days to review and provide feedback on the report results. DHS will subsequently issue a final CRR Report.

• CRR results are afforded protections under the DHS Protected Critical Infrastructure Information (PCII) Program [www.dhs.gov/PCII]; the results are for organization use and DHS does not share results.

Contact Information for CRR-related Inquiries

Please address inquiries regarding the CRR to: CSE@hq.dhs.gov (Cyber Security Evaluations).

About DHS and NCSD

DHS is responsible for safeguarding our Nation's critical infrastructure from physical and cyber threats that can affect national security, public safety, and economic prosperity. NCSD leads DHS's efforts to secure cyberspace and cyber infrastructure. For additional information, please visit www.dhs.gov/cyber.
ES-C2M2

Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2), Version 1.0, 31 May 2012
U.S. Postal Inspection Service (USPIS)

The law enforcement arm of the U.S. Postal Service

The USPIS has used CERT-RMM to address such operational risks as

• export screening
• new product security
• measuring and monitoring risks associated with fraud
• physical security and aviation screening for international mail
• improved processes for investigative response to network security incidents
Lockheed Martin

Application of the CERT® Resilience Management Model at Lockheed Martin (SEI Library)

Lockheed Martin Corporation has collaborated with the Software Engineering Institute on the application of the CERT Resilience Management Model (CERT-RMM) to improve Lockheed Martin's corporate-wide business continuity, IT disaster recovery, crisis management, and pandemic planning activities. Two CERT-RMM Class C appraisals have been conducted as part of the collaboration. This presentation will provide an overview of the project, information about the appraisals, and a summary of the use of the appraisal results.
Hurricane Sandy Surprised Us in Many Ways
Most Talked-About Subject Afterward

Cornell University, Chronicle Online, March 4, 2013: "Arctic ice loss amplified Superstorm Sandy violence," by Blaine Friedlander.
"If you believe that last October's Superstorm Sandy was a freak of nature - the confluence of unusual meteorological, atmospheric and celestial events - think again. Cornell and Rutgers researchers report in the

The New York Times, Tuesday, March 19, 2013; A Blog About Energy and the Environment, Science, October 30, 2012: "Did Global Warming Contribute to Hurricane Sandy's Devastation?" by Justin Gillis.

Bloomberg Businessweek: "It's Global Warming, Stupid," by Paul M. Barrett, November 01, 2012.
"Yes, yes, it's unsophisticated to blame any given storm on climate change. Men and women in white lab coats tell us — and they're right — that many factors contribute to each severe weather episode. Climate deniers exploit scientific

"How Does Climate Change Make Superstorms Like Sandy More Destructive," by Joe Romm, Oct 31, 2012.

"Hurricane Sandy Damage Partly Caused By Climate Change, Scientists Say." Posted: 11/06/2012 10:06 am EST.
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Most Talked-About Subject Afterward 

[Same headline collage as the previous slide, with a callout added over it:] 

Is this the most important question to ask? 
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A better question to ask: How has the national 
risk environment changed? 

• Movement from traditional wireline telephony to cell phones and broadband cable telephony 

  [Chart, The Wall Street Journal, "Cutting The Lifeline": The percentage of cellphone-only households is growing; July-Dec. 2011: 34%. Source: CDC/NCHS surveys of 156,228 households conducted Jan. 2008-Dec. 2011; 95% confidence interval.] 

• "...As of 2003, 153 million Americans lived in coastal counties - an increase of 33 million since 1980 - and 3.7 million lived within a few feet of high tide..." 
  — Bryan Walsh, Time Magazine, November 12, 2012 

• Dependency on large number of mobile devices needing frequent recharging 
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Expansion of National Risk Environment 

• Globalization 
• Operational complexity 
• Pervasive use of technology 
• Intertwining of cyber and physical domains 
  - Increased role of cybersecurity in securing physical assets 
• Movement toward intangible assets 
• Global economic pressures 
• Regulatory and legal boundaries 
• Geo-political pressures 

Successful management of operational risk may require a 
(significant) shift in thinking and approach. 
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Protecting the enterprise 
remains a complex and 
multifaceted challenge. 

Disruptive events, 
through which risks are 
realized, will continue to 
surprise us. 

Traditional tools, 
techniques, and methods 
may not work as well in this 
environment. 

How should an enterprise 
deal with (and plan for) 
such surprises? 

How should an 
enterprise operate in 
such an environment? 
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Promising Approaches 

MODELS: Next generation of integrated cyber-resilience management frameworks? 

EDUCATION: Resilience Engineering - a new engineering discipline? 

RISK MGMT: Re-shaping (not fighting with) the risk landscape? 

POLICY: Should organizations be legally allowed to fight back when under cyber attack? 

TECHNOLOGY: Mechanisms to compose resilient systems from brittle components? 
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“The  oak  fought  the  wind  and  was  broken, 
the  willow  bent  when  it  must  and  survived.” 

Robert  Jordan,  The  Fires  of  Heaven 


Thank  you  for  your  attention... 
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SEI  Training 


Introduction  to  the  CERT  Resilience  Management  Model 

February  18  -  20,  2014  (SEI,  Arlington,  VA) 

June  17-19,  2014  (SEI,  Pittsburgh,  PA) 

See  Materials  Widget  for  course  document 
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